Check digital signatures on software packages | Deep Security

Deep Security 11 has reached end of support. Use the version selector (above) to see more recent versions of the Help Center.

Check digital signatures on software packages

Before you install Deep Security, you should check the digital signature on the software ZIP packages and installer files. A correct digital signature indicates that the software is authentically from Trend Micro and hasn’t been corrupted or tampered with.

You can either check the signature on the software ZIP packages, or check the signature on the installer files (EXE, MSI, RPM or DEB). Both procedures are described below.

You can also validate the software’s checksums, as well as the digital signature on security updates and Deep Security Agent modules. See How agents validate the integrity of updates and Linux Secure Boot support for agents.

Check the signature on software ZIP packages

The ZIP files for the Deep Security Agents, the Deep Security Virtual Appliance, and the online help are digitally signed. The signatures can be verified with the jarsigner Java utility.

  1. Install the latest Java Development Kit on your computer.
  2. Download the ZIP.
  3. Use the jarsigner utility within the JDK to check the signature. The command is:

    jarsigner -verify -verbose -certs -strict <ZIP_file>

    Example:

    jarsigner -verify -verbose -certs -strict Agent-RedHat_EL7-11.2.0-124.x86_64.zip

  4. Read any errors as well as the content of the certificate to determine if the signature can be trusted.

    In addition to checking the agent ZIP file, you can also check the agent installer file.

Check the signature on installer files (EXE, MSI, RPM or DEB files)

The installers for the Deep Security Agent, Deep Security Manager, and Deep Security Notifier are digitally signed using RSA. The installer is an EXE or MSI file on Windows, an RPM file on Linux operating systems (Amazon, CloudLinux, Oracle, Red Hat, and SUSE), or a DEB file on Debian and Ubuntu.

The instructions below describe how to check a digital signature manually. If you’d like to automate this check, you can include it in your agent deployment scripts. For more on deployment scripts, see Use deployment scripts to add and protect computers.

Follow the instructions that correspond to the type of installer file you want to check.

Check the signature on an EXE or MSI file

  1. Right-click the EXE or MSI file and select Properties.

  2. Click the Digital Signatures tab to check the signature.

Check the signature on an RPM file

First, install GnuPG

Install GnuPG on the agent computer where you intend to check the signature, if it is not already installed. This utility includes the GPG command-line tool, which you’ll need in order to import the signing key and check the digital signature.

GnuPG is installed by default on most Linux distributions.

Next, import the signing key

  1. Look for the 3trend_public.asc file in the root folder of the agent’s ZIP file. The ASC file contains a GPG public signing key that you can use to verify the digital signature. If you cannot find the 3trend_public.asc file in the agent ZIP, you’ll need to use Deep Security Agent 11.0 Update 18 or a later update.

  2. (Optional) Verify the SHA-256 hash digest of the ASC file using any hashing utility. The hash is: 

    c59caa810a9dc9f4ecdf5dc44e3d1c8a6342932ca1c9573745ec9f1a82c118d7

  3. On the agent computer where you intend to check the signature, import the ASC file. Use this command:

    Commands are case-sensitive.

    gpg --import 3trend_public.asc

    The following messages appear:

    gpg: directory `/home/build/.gnupg' created

    gpg: new configuration file `/home/build/.gnupg/gpg.conf' created

    gpg: WARNING: options in `/home/build/.gnupg/gpg.conf' are not yet active during this run

    gpg: keyring `/home/build/.gnupg/secring.gpg' created

    gpg: keyring `/home/build/.gnupg/pubring.gpg' created

    gpg: /home/build/.gnupg/trustdb.gpg: trustdb created

    gpg: key E1051CBD: public key "Trend Micro (trend linux sign) <[email protected]>" imported

    gpg: Total number processed: 1

    gpg: imported: 1 (RSA: 1)

  4. Export the GPG public signing key from the ASC file:

    gpg --export -a 'Trend Micro' > RPM-GPG-KEY-CodeSign

  5. Import the GPG public signing key to the RPM database:

    sudo rpm --import RPM-GPG-KEY-CodeSign

  6. Verify that the GPG public signing key has been imported:

    rpm -qa gpg-pubkey*

  7. The fingerprints of imported GPG public keys appear. The Trend Micro one is:

    gpg-pubkey-e1051cbd-5b59ac99

    The signing key has now been imported and can be used to check the digital signature on the agent RPM file.

Finally, verify the signature on the RPM file

Instead of checking the signature on the RPM file manually, as described below, you can have a deployment script do it. See Use deployment scripts to add and protect computers for details.

Use this command:

rpm -K Agent-PGPCore-<OS agent version>.rpm

Example:

rpm -K Agent-PGPCore-RedHat_EL7-11.0.0-950.x86_64.rpm

Make sure you run the above command on the Agent-PGPCore-<…>.rpm file. (Running it on Agent-Core-<…>.rpm does not work.)

If the signature verification is successful, the following message appears:

Agent-PGPCore-RedHat_EL7-11.0.0-950.x86_64.rpm: rsa sha1 (md5) pgp md5 OK

Check the signature on a DEB file

First, install the dpkg-sig utility

Install dpkg-sig on the agent computer where you intend to check the signature, if it is not already installed. This utility includes the GPG command-line tool, which you’ll need in order to import the signing key and check the digital signature.

Next, import the signing key

  1. Look for the 3trend_public.asc file in the root folder of the agent’s ZIP file. The ASC file contains a GPG public signing key that you can use to verify the digital signature. If you cannot find the 3trend_public.asc file in the agent ZIP, you’ll need to use Deep Security Agent 11.0 Update 18 or a later update.

  2. (Optional) Verify the SHA-256 hash digest of the ASC file using any hashing utility. The hash is: 

    c59caa810a9dc9f4ecdf5dc44e3d1c8a6342932ca1c9573745ec9f1a82c118d7

  3. On the agent computer where you intend to check the signature, import the ASC file to the GPG keyring. Use this command:

    gpg --import 3trend_public.asc

    The following message appears:

    gpg: key E1051CBD: public key "Trend Micro (trend linux sign) <[email protected]>" imported

    gpg: Total number processed: 1

    gpg: imported: 1 (RSA: 1)

  4. (Optional) Display the Trend Micro key information. Use this command:

    gpg --list-keys

    A message similar to the following appears:

    /home/user01/.gnupg/pubring.gpg

    -------------------------------

    pub 2048R/E1051CBD 2018-07-26 [expires: 2021-07-25]

    uid Trend Micro (trend linux sign) <[email protected]>

    sub 2048R/202C302E 2018-07-26 [expires: 2021-07-25]

Finally, verify the signature on the DEB file

Instead of verifying the signature on the DEB file manually, as described below, you can have a deployment script do it. See Use deployment scripts to add and protect computers for details.

Enter this command:

dpkg-sig --verify <agent_deb_file>

where <agent_deb_file> is the name and path of the agent DEB file. For example:

dpkg-sig --verify Agent-Core-Ubuntu_16.04-11.0.0-1075.x86_64.deb

A processing message appears:

Processing Agent-Core-Ubuntu_16.04-11.0.0-1075.x86_64.deb…

If the signature is verified successfully, the following message appears:

GOODSIG _gpgbuilder CF5EBBC17D8178A7776C1D365B09AD42E1051CBD 1568153778
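The page suggests automating these checks in a deployment script. The following POSIX shell script is an added example, not a Trend Micro script, that wraps the three manual procedures above (jarsigner for ZIP packages, rpm -K for RPM files, dpkg-sig --verify for DEB files) and fails closed unless the tool's output proves a good signature. It assumes jarsigner, gpg, rpm and dpkg-sig are on PATH and that the Trend Micro key has already been imported as described above; the key package name, ASC hash and DEB fingerprint it checks against are the values quoted on this page. The verdict parsers are kept separate from the tool invocations so they can be tested against sample output without the tools installed.

```shell
#!/bin/sh
# Added example (not Trend Micro's own code): deployment-script wrapper for the manual
# signature checks on this page. Assumptions: jarsigner, rpm and dpkg-sig are on PATH and
# the Trend Micro signing key has already been imported. The constants below are the
# values quoted on the page.

EXPECTED_ASC_SHA256="c59caa810a9dc9f4ecdf5dc44e3d1c8a6342932ca1c9573745ec9f1a82c118d7"
EXPECTED_RPM_KEY="gpg-pubkey-e1051cbd-5b59ac99"
EXPECTED_DEB_FPR="CF5EBBC17D8178A7776C1D365B09AD42E1051CBD"

# --- Verdict parsers: pure text checks, so they can be tested without the tools ---

# jarsigner prints the line "jar verified." on success and "jar is unsigned." otherwise.
jarsigner_output_ok() {
  printf '%s\n' "$1" | grep -qx 'jar verified\.'
}

# rpm -K reports a verified signature as lowercase "... pgp ... OK" (the page's sample
# line). An unknown key is reported as "NOT OK" together with "MISSING KEYS".
rpm_k_output_ok() {
  printf '%s\n' "$1" | grep -q ' pgp .* OK$' &&
    ! printf '%s\n' "$1" | grep -qiE 'NOT OK|MISSING KEYS'
}

# dpkg-sig --verify prints "GOODSIG _gpgbuilder <fingerprint> <timestamp>" on success.
# Matching the fingerprint, not just GOODSIG, ties the verdict to the Trend Micro key
# rather than to any key that happens to be in the local keyring.
dpkg_sig_output_ok() {
  printf '%s\n' "$1" | grep -q "^GOODSIG _gpgbuilder $EXPECTED_DEB_FPR "
}

# Compare a file's SHA-256 with an expected digest (the optional check on 3trend_public.asc).
file_sha256_matches() {
  file=$1; expected=$2
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | awk '{print $1}')
  else
    actual=$(shasum -a 256 "$file" | awk '{print $1}')   # fallback for systems without coreutils
  fi
  [ "$actual" = "$expected" ]
}

# --- Driver: run the right tool for the package type; return 0 only on a good verdict ---
verify_package() {
  pkg=$1
  case "$pkg" in
    *.zip)
      # -strict makes jarsigner exit non-zero on severe warnings, so check both exit
      # status and the "jar verified." line.
      if out=$(jarsigner -verify -verbose -certs -strict "$pkg" 2>&1); then
        jarsigner_output_ok "$out"
      else
        echo "jarsigner reported errors or -strict warnings for $pkg" >&2; return 1
      fi ;;
    *.rpm)
      # Step 7 on the page: the Trend Micro key must be in the RPM database first,
      # otherwise rpm -K cannot vouch for the signature at all.
      rpm -qa 'gpg-pubkey*' | grep -qx "$EXPECTED_RPM_KEY" ||
        { echo "Trend Micro key $EXPECTED_RPM_KEY not in RPM database" >&2; return 1; }
      rpm_k_output_ok "$(rpm -K "$pkg" 2>&1)" ;;
    *.deb)
      dpkg_sig_output_ok "$(dpkg-sig --verify "$pkg" 2>&1)" ;;
    *)
      echo "unsupported package type: $pkg" >&2; return 1 ;;
  esac
}

# Usage: sh verify_ds_package.sh <package> [3trend_public.asc]
# When the ASC file is given, its digest is checked before anything else.
if [ "$#" -ge 1 ]; then
  if [ "$#" -ge 2 ] && ! file_sha256_matches "$2" "$EXPECTED_ASC_SHA256"; then
    echo "$2 does not match the published SHA-256; do not import it" >&2; exit 1
  fi
  if verify_package "$1"; then
    echo "$1: signature OK"
  else
    echo "$1: signature NOT verified" >&2; exit 1
  fi
fi
```

A deployment script would call this before running the installer and abort on a non-zero exit. Note that the RPM branch verifies the Agent-PGPCore package, as the page requires; the script does not rewrite file names, so pass the PGPCore RPM rather than the Agent-Core one.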